Taking payments? Get ready for changes to the European Payment Services Directive.

Introduction

The rules for accepting payments in Europe are changing. The European Payment Services Directive (PSD2) has been updated with a new set of requirements designed to combat fraud, increase efficiency and drive innovation by improving customer identification and payment processing transparency.
The deadline for implementation is fast approaching but the guidance to date, especially for certain sectors and use cases, has been a bit vague. So, what does this mean for your business?

What is changing?

From 14th September 2019, additional customer authentication is required for certain types of payments. Merchants that haven’t implemented support for these requirements in time may face declined customer payments.

Online and face-to-face point of sale transactions, where the cardholder is present to provide their details, will be subject to additional checks. The customer may be asked to provide an additional “factor” of authentication to prove their identity; by using chip and PIN for otherwise contactless payments, or with a security code sent to their device or generated by their banking app, for online transactions.

This is referred to as Strong Customer Authentication (SCA) and will be applied if any of the following conditions are met:

The number of consecutive contactless transactions since the last application of SCA exceeds five

What does this mean for my contact centre?

The requirements for Strong Customer Authentication do not apply to payments made over the telephone when the cardholder is not present. So, good news?
Well, yes but merchants that, for example, process payments by writing details down and use an online consumer channel to process the payment, or any other non-compliant process, will be caught out by these changes if additional authentication, that only the customer “knows” is requested, further reinforcing the need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS).

Even where compliant with the PCI DSS, contact centres need to be aware that as other payment channels are made more secure, fraud will naturally move to the telephone adding pressure to contact centre systems and putting personnel at risk as they become increasingly targeted by fraudsters.
In any event, if customers’ payments are declined, or assistance is required, no matter what the payment channel, they are likely to get in touch via your contact centre or customer service team.

What should I do now?

Make sure you’re involved in any planned communications with your customers and customer-facing colleagues about the implementation of PSD2 and SCA. Contact staff often know the customer base best; be sure to use that knowledge to help inform your customers about the forthcoming changes and be prepared for service calls to support customers that may need assistance with other payment channels.

Review your payment channels and business processes and talk to your merchant services provider to ensure that your contact centre is PCI DSS compliant and that your telephone payments are correctly labelled to ensure exemption from SCA.

If you are exposing your business to payment card holder data, then you need to be aware of the increased risk and consider the implications in terms of your liability for fraudulent transactions or data breach. Consider that by exposing your agents to card holder data, you are making them a target for organised crime…

Organisations are increasingly removing card holder data from the contact centre or company systems altogether by employing now widely available, third-party technologies and services that can collect and secure card holder data remotely to remove their financial exposure to the growing risk of fraud they are facing.

Tom currently heads up Research and Development at Ultracomms and has a seat on the Contact Centres Council for the Direct Marketing Association in the UK. With a background in Electronic and Software Engineering, Tom co-founded Ultracomms in 2004, building the first cloud contact centre service offering in Europe. In 2007, Tom led the team that developed the Ultracomms PaySure product portfolio in response to the emerging PCI standards, and has since worked with Ultracomms’ customers and QSA partners to secure their contact centre payment processes. Tom helped Ultracomms achieve their own PCI DSS Level 1 Service Provider status for delivering contact centre services from the cloud in 2016. To contact Tom, email tom.davies@ultracomms.com.